tcpdump packet capture tool

I. tcpdump introduction

Under Linux, tcpdump is a powerful packet capture tool, roughly the equivalent of Wireshark under Windows, but it runs on the command line, so you need to be familiar with the Linux command line.

Most common Linux distributions already ship with tcpdump. If yours does not, you can download it from the official tcpdump website and install it; the official site only provides source code, so you need to compile it after downloading. The compile procedure is not described here.

II. Commonly used tcpdump parameters

The following lists the common parameters of tcpdump:

  • -a convert network and broadcast addresses to names
  • -A print each captured frame in ASCII
  • -c num stop after capturing num packets
  • -C file-size used together with -w file; when the file grows beyond file-size, a new file is created
  • -D list all network interfaces tcpdump can capture on. The interface number or name shown can be passed to -i
  • -q quick output, printing less information per packet
  • -w save the output to a file, which can be analyzed with Wireshark on Windows
  • -r read packets from the specified file, typically a file saved with -w
  • -i specify which network interface to capture on; to capture on all interfaces use -i any
  • -x print the captured frames in hexadecimal
  • -nnn disable name resolution: with -nnn tcpdump does not convert IP addresses to domain names or well-known port numbers to service names

III. tcpdump expressions

The tcpdump expression selects which packets are printed to the command line. If no filter expression is given, all captured network packets are printed; otherwise only packets that satisfy the expression are printed.

Expressions are generally built from several kinds of keywords:

  • Type keywords: host, net, port, ip proto, protochain, etc.

  • Direction keywords: src, dst, dst or src, dst and src, etc.

  • Protocol keywords: ip, arp, rarp, tcp, udp, icmp, http, etc.

The basic format of an expression is protocol + [direction] + type + value, as in the following examples:

ip src host 192.168.0.1
tcp port 1883

IV. Examples

  1. Capture packets on all network interfaces

    tcpdump -i any
  2. Capture packets on port 1883

    tcpdump -i eth0 port 1883        # all packets on port 1883
    tcpdump -i eth0 tcp port 1883    # all TCP packets on port 1883
    tcpdump -i eth0 udp port 1883    # all UDP packets on port 1883
  3. Capture packets whose source IP is 172.30.20.10

    tcpdump -i eth0 src host 172.30.20.10
  4. Capture packets whose destination address is 172.30.20.10

    tcpdump -i eth0 dst host 172.30.20.10
  5. Capture packets whose source IP is 172.30.20.10 and whose destination port is 22

    tcpdump -i eth0 src host 172.30.20.10 and dst port 22
  6. Capture packets whose source IP is 172.30.20.10 or whose port is 22

    tcpdump -i eth0 -vnn src host 172.30.20.10 or port 22
  7. Capture packets whose source IP is 172.30.20.10 and whose port is not 22

    tcpdump -i eth0 -vnn src host 172.30.20.10 and not port 22
  8. Capture packets on the eth0 interface and save them to a file

    tcpdump -i eth0 -w data.cap

  9. Capture 100 packets on the eth0 interface and save them to a file

    tcpdump -i eth0 -c 100 -w data.cap

  10. Capture packets of the IP protocol

    tcpdump -i eth0 ip
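To make concrete what the filter expressions in examples 2, 5 and 7 select, here is an added example (not from the original post) that parses a constructed pcap file, the format `tcpdump -w` writes, and applies those three filters in Python. It assumes an Ethernet link type and IPv4 packets; the frames, addresses and ports are constructed sample data.

```python
import struct

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame with minimal 20-byte headers."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip_hdr + tcp_hdr

def read_pcap(data):
    """Yield (src, dst, proto, sport, dport) for each IPv4 TCP/UDP packet in the file."""
    off = 24  # skip the 24-byte pcap global header
    while off < len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # EtherType is not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        if proto not in (6, 17):  # ports only exist for TCP/UDP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, dst, proto, sport, dport

FILTERS = {  # same semantics as tcpdump: a bare "port N" matches either direction
    "tcp port 1883": lambda p: p[2] == 6 and 1883 in (p[3], p[4]),
    "src host 172.30.20.10 and dst port 22": lambda p: p[0] == "172.30.20.10" and p[4] == 22,
    "src host 172.30.20.10 and not port 22": lambda p: p[0] == "172.30.20.10" and 22 not in (p[3], p[4]),
}

def apply_filter(pcap, expr):
    """Return the packets of a pcap that the named filter would print."""
    return [p for p in read_pcap(pcap) if FILTERS[expr](p)]

# Constructed sample capture: an SSH SYN, an MQTT SYN, and a frame in the reverse direction.
SAMPLE = build_pcap([
    tcp_frame("172.30.20.10", "10.0.0.5", 51000, 22),
    tcp_frame("172.30.20.10", "10.0.0.6", 51001, 1883),
    tcp_frame("10.0.0.5", "172.30.20.10", 22, 51000),
])
```

Writing `SAMPLE` to a file and opening it with `tcpdump -r` or Wireshark shows the same three packets, so the same expressions can be checked against the real tool.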
    

Origin www.cnblogs.com/ay-a/p/11229127.html